Acala - ABAIKUNANBAEV's results

Building the liquidity layer of Web3 finance.

General Information

Platform: Code4rena

Start Date: 22/03/2024

Pot Size: $36,500 USDC

Total HM: 7

Participants: 17

Period: 14 days

Judge: Lambda

Id: 323

League: POLKADOT

Acala Network

Findings Distribution

Researcher Performance

Rank: 12/17

Findings: 1

Award: $542.32

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: n4nika

Also found by: ABAIKUNANBAEV, djxploit

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
sufficient quality report
:robot:_10_group
duplicate-103

Awards

542.3188 USDC - $542.32

External Links

Lines of code

https://github.com/code-423n4/2024-03-acala/blob/main/src/modules/incentives/src/lib.rs#L503

Vulnerability details

Impact

Inside the incentives pallet there is a deduction rate that acts as a penalty when a user claims rewards early. The problem is that on a partial removal of shares the user's pending rewards are claimed with the deduction applied, but the deducted amount is re-accumulated into the same pool. A user who keeps the rest of their shares therefore earns a cut of their own penalty back once they claim again for the remaining shares.

Proof of Concept

  1. The user has 100 shares and decides to remove part of them by calling withdraw_dex_share(). That function calls do_withdraw_dex_share(), which in turn calls remove_share() in the rewards pallet, where the pending rewards are claimed first:

https://github.com/code-423n4/2024-03-acala/blob/main/src/modules/incentives/src/lib.rs#L533

<orml_rewards::Pallet<T>>::remove_share(who, &PoolId::Dex(lp_currency_id), amount.unique_saturated_into());

https://github.com/code-423n4/2024-03-acala/blob/main/src/orml/rewards/src/lib.rs#L197

Self::claim_rewards(who, pool);

The deduction rate, which acts as a penalty, is applied to the claimed amount: the deduction is subtracted from the payout and then re-accumulated into the pool. This means the user still has the opportunity to claim part of that amount (not all of it, since the other users in the pool also get a share), which makes the effective penalty smaller than intended:

https://github.com/code-423n4/2024-03-acala/blob/main/src/modules/incentives/src/lib.rs#L451-456

match Self::payout_reward_and_reaccumulate_reward( pool_id, &who, *currency_id, payout_amount, deduction_amount,

https://github.com/code-423n4/2024-03-acala/blob/main/src/modules/incentives/src/lib.rs#L503

<orml_rewards::Pallet<T>>::accumulate_reward(&pool_id, reward_currency_id, reaccumulate_amount)?;

Therefore, if the deduction rate is set to 0.05% for claims made before one month, the deducted amount is re-accumulated into the pool. The user can then wait until the period ends and claim rewards without any deduction for the remaining 50 shares, plus part of the re-accumulated amount (the other part goes to the other participants in the pool). The net effect is a smaller penalty than the one the deduction rate is supposed to impose.
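The following is an added example, not code from the Acala repository or from orml_rewards. It is a minimal integer model of the share/reward bookkeeping pattern the report walks through (a pool-level total_reward and total_withdrawn, per-user shares and withdrawn rewards, a forced claim on remove_share, and the deduction being re-accumulated into the pool). The struct and function names, the two users, the 20% deduction rate and all balances are constructed for illustration; the `Outside` variant, which routes the penalty out of the pool, is a hypothetical contrast and not the project's fix. Running it shows Alice getting a third of her penalty back when it is re-accumulated (her remaining 50 of 150 shares), and nothing when it is not.

```rust
use std::collections::BTreeMap;

/// Where the early-claim penalty goes after it is subtracted from the payout.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum DeductionSink {
    /// Behaviour described in the report: the penalty is re-accumulated into the
    /// same pool (the accumulate_reward call), so every remaining share earns a cut of it.
    Pool,
    /// Hypothetical alternative, used only for contrast: the penalty leaves the pool.
    Outside,
}

#[derive(Default, Debug)]
pub struct UserInfo {
    pub shares: u128,
    /// Rewards already attributed to this user (orml's "withdrawn_rewards").
    pub withdrawn: u128,
}

#[derive(Debug)]
pub struct Pool {
    pub total_shares: u128,
    pub total_reward: u128,
    pub total_withdrawn: u128,
    pub users: BTreeMap<&'static str, UserInfo>,
    pub sink: DeductionSink,
}

impl Pool {
    pub fn new(sink: DeductionSink) -> Self {
        Pool { total_shares: 0, total_reward: 0, total_withdrawn: 0, users: BTreeMap::new(), sink }
    }

    pub fn accumulate_reward(&mut self, amount: u128) {
        self.total_reward += amount;
    }

    /// New shares inflate total_reward and total_withdrawn by the same amount, so the
    /// newcomer gets no claim on rewards accumulated before they joined.
    pub fn add_share(&mut self, who: &'static str, amount: u128) {
        let inflation = if self.total_shares == 0 { 0 } else { self.total_reward * amount / self.total_shares };
        self.total_shares += amount;
        self.total_reward += inflation;
        self.total_withdrawn += inflation;
        let user = self.users.entry(who).or_default();
        user.shares += amount;
        user.withdrawn += inflation;
    }

    /// Pro-rata entitlement minus what has already been attributed to the user.
    pub fn claimable(&self, who: &str) -> u128 {
        match self.users.get(who) {
            Some(user) if self.total_shares > 0 => {
                (self.total_reward * user.shares / self.total_shares).saturating_sub(user.withdrawn)
            }
            _ => 0,
        }
    }

    /// Claim with an early-claim penalty of `deduction_pct` percent; returns (payout, deduction).
    pub fn claim_rewards(&mut self, who: &'static str, deduction_pct: u128) -> (u128, u128) {
        let pending = self.claimable(who);
        if pending == 0 {
            return (0, 0);
        }
        let deduction = pending * deduction_pct / 100;
        self.users.get_mut(who).expect("claimable > 0 implies the user exists").withdrawn += pending;
        self.total_withdrawn += pending;
        if self.sink == DeductionSink::Pool {
            // The penalty goes straight back into the pool the claimer still has shares in.
            self.accumulate_reward(deduction);
        }
        (pending - deduction, deduction)
    }

    /// Partial removal: pending rewards are claimed first (with the penalty), then the removed
    /// shares and the matching slice of "withdrawn" bookkeeping are dropped. Returns that claim.
    pub fn remove_share(&mut self, who: &'static str, amount: u128, deduction_pct: u128) -> (u128, u128) {
        let claimed = self.claim_rewards(who, deduction_pct);
        let user = self.users.get_mut(who).expect("user must exist");
        let amount = amount.min(user.shares);
        if amount == 0 {
            return claimed;
        }
        let withdrawn_to_remove = user.withdrawn * amount / user.shares;
        user.shares -= amount;
        user.withdrawn -= withdrawn_to_remove;
        self.total_shares -= amount;
        self.total_reward -= withdrawn_to_remove;
        self.total_withdrawn -= withdrawn_to_remove;
        claimed
    }
}

/// Constructed scenario from the report: Alice and Bob hold 100 shares each, 1000 reward units
/// accrue, Alice removes 50 shares while a 20% penalty applies, then waits out the deduction
/// window and claims again at 0%. Returns (penalty deducted, part Alice gets back, extra for Bob).
pub fn penalty_recovered_by_alice(sink: DeductionSink) -> (u128, u128, u128) {
    let mut pool = Pool::new(sink);
    pool.add_share("alice", 100);
    pool.add_share("bob", 100);
    pool.accumulate_reward(1000);
    let bob_before = pool.claimable("bob");
    let (_payout, deduction) = pool.remove_share("alice", 50, 20);
    let (recovered, _) = pool.claim_rewards("alice", 0);
    (deduction, recovered, pool.claimable("bob") - bob_before)
}

fn main() {
    for sink in [DeductionSink::Pool, DeductionSink::Outside] {
        let (deducted, recovered, bob_extra) = penalty_recovered_by_alice(sink);
        println!("{sink:?}: deducted {deducted}, Alice recovers {recovered}, Bob gains {bob_extra}");
    }
}
```

With the penalty re-accumulated, the 100 units deducted from Alice are split by the post-withdrawal share distribution: 33 come back to her and 66 go to Bob (integer rounding accounts for the last unit). With the penalty routed out of the pool, Alice's second claim yields 0 and Bob's entitlement is unchanged, which is the property any change to the re-accumulation mechanism needs to preserve.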

Tools Used

Manual review.

Recommended Mitigation Steps

Change the reaccumulation mechanism.

Assessed type

Other

#0 - c4-pre-sort

2024-04-07T13:01:46Z

DadeKuma marked the issue as duplicate of #103

#1 - c4-pre-sort

2024-04-07T13:41:44Z

DadeKuma marked the issue as sufficient quality report

#2 - c4-judge

2024-04-09T16:15:30Z

OpenCoreCH marked the issue as satisfactory

#3 - c4-judge

2024-04-10T07:48:14Z

OpenCoreCH changed the severity to 2 (Med Risk)

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built by malatrax © 2024
